Regenerating your Debian SSH Keys

There has been a lot of hub-bub regarding Debian’s SSL PRNG issues. I’ve also heard some people saying how this is mostly a non issue or that just upgrading your OpenSSL package will fix it. Let me state, for the record that this issue is bad. Bad Bad. Bad Bad BAD. Just upgrading your packages won’t solve it. You need to regenerate any kind of certificates on your machine after upgrading. The big thing is SSH: If you use SSH on your Debian boxes your need to regenerate your encryption keys immediately. Not doing so put you, and any of your users at risk. You’re just as safe using telnet.

After googling for a bit there was no clear tutorial on exactly HOW to upgrade your keys in Debian, so I copied and pasted what I did on my Debian box to give a quick tutorial. User input in Bold:

telstar:/home/bbj# ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N ''
Generating public/private rsa key pair.
/etc/ssh/ssh_host_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
c7:87:51:db:65:7b:d1:58:65:23:85:e0:a2:70:52:68 root@telstar
telstar:/home/bbj# ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N ''
Generating public/private rsa key pair.
/etc/ssh/ssh_host_rsa_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
9d:91:02:33:cc:13:8a:7a:67:81:29:e5:50:6d:12:51 root@telstar
telstar:/home/bbj# ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ''
Generating public/private dsa key pair.
/etc/ssh/ssh_host_dsa_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
76:1e:ac:8c:49:dd:33:d5:d5:d5:bf:87:60:6f:c0:76 root@telstar
telstar:/home/bbj#

Voila! If you open up a new SSH session you should get the “ZOMG THE HOST SSH KEY HAS CHANGED!” Warning. If you get it, your keys have changed, and you are all set. Enjoy once again being secure.

EDIT: Of course, not even 20 minutes after I posted this, milw0rm tweeted a new exploit for weak Debian keys. So, fix it. Now.

One comment.

  1. Thank You for this article!!